How to compare SSL certificates using AFNetworking

Question

In my iPhone app I'm using an https connection with a self-signed SSL certificate to download sensible data (username and password) from a server.

This app is for private use only, it is not meant for production.

I'm using AFNetworking to manage the https connection but, since my certificate isn't signed from a CA, in order to make it work I had to add the following to the header of the AFURLConnectionOperation class:

#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ 1

But with this my app will allow any certificate.

Is there a way to allow only the certificate from my server maybe bundling it in the app and comparing it with the certificate provided by the server in the https connection? And if it were possible, would there be any significant advantage in terms of security?

I'm very new to security and I'm kind of confused.

Recommended answer

The term you're looking for is SSL Pinning, where the app verifies that a known certificate or public key matches one presented by a remote server.

AFNetworking supports pinning with both certificates and public keys. You'll need to add the certificate(s) or public key(s) to your app's Bundle, and enable the feature by setting either the defaultSSLPinningMode property on AFHTTPClient or the SSLPinningMode property on AFURLConnectionOperation.

You can pin using AFSSLPinningModePublicKey or AFSSLPinningModeCertificate. AFSSLPinningModeCertificate means that the server's certificate must exactly match one of those in the bundle.

AFSSLPinningModePublicKey is more liberal and means that the server's certificate must match for any public key in the bundle, or any public key attached to certificates in the bundle.

There is an example of setting the pinning mode in the AppDotNet example.
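The comparison that certificate pinning performs can be written directly against the Security framework. The following is an added example, not AFNetworking's own code and not part of the original answer: it assumes ARC, a hypothetical delegate class named PinnedConnectionDelegate, and a DER-encoded copy of the server certificate bundled under the assumed name server.cer.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class (name is an assumption for this example).
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges carry the TLS certificate chain.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    // "server.cer" is an assumed file name: the DER bytes of the one
    // certificate this app is willing to talk to.
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *pinned = path ? [NSData dataWithContentsOfFile:path] : nil;

    SecTrustRef trust = space.serverTrust;
    BOOL match = NO;
    if (pinned && trust && SecTrustGetCertificateCount(trust) > 0) {
        // Index 0 is the leaf certificate the server presented.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        // Certificate pinning: the presented bytes must equal the bundled bytes.
        match = [presented isEqualToData:pinned];
    }

    if (match) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: a missing pin file or any other certificate ends the connection.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Because the comparison is on the full certificate bytes, reissuing the server certificate (even with the same key) requires shipping the new file in the app.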
